On Sun, 2005-07-24 at 11:37 +0200, Robert Allerstorfer wrote:
> I have noticed the 'ssl_cipher_list' directive in the 1.0-test snapshots which is not in 0.99. Its default value seems to be "all:!low". However, this would not be compatible with openssl's cipher listing format. Thus, I would vote to change its format to be openssl compatible. To be compatible, it has to be changed to "ALL:!LOW" (just uppercased in this case). IMO, this would be helpful because executing

I noticed the Debian bug report about this. ALL:!LOW is actually the default internally, all:!low is shown only in dovecot-example.conf. I've changed that already.
> I want dovecot to only accept highly encrypted ciphers, thus it should support
>
> ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
But will it break some clients? Especially some mobile phones? Are there some recommendations of what that list should contain?
> This would really make "Dovecot (...) written with security primarily in mind"

Well, it's just the SSL part and the only thing it does is to prevent correctly behaving but lowly-secured clients from connecting. Perhaps the default should be different depending on the disable_plaintext_auth setting. At least there's no reason to prevent lowly secured connections from working if the "fix" is to disable SSL entirely.
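Before putting a cipher string like the one proposed above into ssl_cipher_list, it is worth expanding it on the OpenSSL build Dovecot will actually link against, since OpenSSL silently ignores unknown tokens (the lowercase "all:!low" matches nothing at all) and "!ADH" removes only anonymous DH, not anonymous ECDH ("!aNULL" covers both). The following is an added example, not Dovecot code; it uses Python's ssl module as a front end to the local OpenSSL, and the function name inspect_cipher_list is my own.

```python
import ssl


def inspect_cipher_list(cipher_string):
    """Expand an OpenSSL-format cipher string on the local OpenSSL and summarise it.

    Returns None if OpenSSL rejects the string outright (no cipher matched),
    otherwise a dict with the selected TLS<=1.2 suite names in preference
    order, the weakest key strength in bits, and the names of any
    unauthenticated (aNULL) suites that slipped through.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL reports "no cipher match": every token was unknown or the
        # exclusions removed everything. Dovecot would fail to start on this.
        return None
    # TLS 1.3 suites are governed by a separate OpenSSL setting and are always
    # listed, so they are left out: the cipher string does not control them.
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "names": [c["name"] for c in suites],
        "weakest_bits": min(c["strength_bits"] for c in suites),
        # "auth-null" is how the ssl module labels aNULL (ADH/AECDH) suites.
        "anonymous": [c["name"] for c in suites if c["auth"] in (None, "auth-null")],
    }


if __name__ == "__main__":
    # The two strings discussed in the thread (the second with the ":" between
    # !ADH and !LOW that OpenSSL's separator rules require).
    for s in ("all:!low", "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"):
        result = inspect_cipher_list(s)
        if result is None:
            print(f"{s!r}: rejected by OpenSSL (no cipher match)")
            continue
        print(f"{s!r}: {len(result['names'])} suites, weakest "
              f"{result['weakest_bits']} bits, anonymous={result['anonymous']}")
        print("  " + ":".join(result["names"]))
```

On OpenSSL 1.1.0 and later the default security level already filters out aNULL suites, so an empty "anonymous" list there does not prove the string itself excludes them; the same string on an older OpenSSL would keep AECDH suites.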